06-01-2009 07:30 PM - edited 03-11-2019 08:38 AM
Hi,
Are there any issues in configuring failover between an ASA with an IPS module and an ASA without?
As the status of the module is reported on during failover monitoring my guess is that it can't be done.
Has anyone tried this?
Leon
06-02-2009 09:06 AM
In an active/standby scenario, the failover process will shut down automatically because the hardware is not the same on both ASAs. You will either need to add another AIP-SSM or pull the existing one for the failover to function.
11-16-2010 07:38 AM
I have a related question about this scenario, so I figured I'd reply here rather than create a new topic.
I have an ASA 5505 (with security plus license) with the AIP Intrusion prevention module.
I just purchased another ASA 5505 (with security plus license).
From the post above, I have gathered that in order to have failover function at all, I must also get the AIP card for the second ASA.
I am wondering if there are any other restrictions as far as what must be the same on the second ASA. Is it enough that both ASAs have Sec-plus licenses or is there something else that I'm missing? I saw something mentioned elsewhere that an "unrestricted" license is needed for the primary... what exactly does this mean?
Thanks,
Paul
11-16-2010 09:59 AM
Hi,
Here are the details of what all needs to match for failover:
The "unrestricted" license thing is only for PIXs and not for ASAs, and hence you do not need to bother about it. Also, you are right about needing to purchase another IPS card for the other ASA. Hope that clears things up.
Cheers,
Prapanch